SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY
Edoardo Persichetti
University of Warsaw
06 June 2013
(UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20
Part I
PRELIMINARIES
ERROR-CORRECTING CODES
[n, k] LINEAR CODE OVER F_q
A subspace of dimension k of F_q^n.
w-error correcting: there exists a decoding algorithm that corrects up to w errors occurring on a codeword.
HAMMING WEIGHT
Number of non-zero entries: wt(x) = |{i : x_i ≠ 0, 1 ≤ i ≤ n}|.
PARITY-CHECK MATRIX
H ∈ F_q^{(n−k)×n} defines the code as follows: x ∈ C ⇐⇒ H x^T = 0.
Systematic form: (M | I_{n−k}).
CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES
McEliece: first cryptosystem using error-correcting codes (1978).
Based on the hardness of decoding random linear codes.
“Dual” version proposed by Niederreiter (1985).
PROBLEM (COMPUTATIONAL SYNDROME DECODING)
Given: H ∈ F_q^{(n−k)×n}, y ∈ F_q^{n−k} and w ∈ N.
Goal: find a word e ∈ F_q^n with wt(e) ≤ w such that H e^T = y.
Unique solution and hardness only if w is below a certain threshold (GV bound).
If H defines an error-correcting code, we have a trapdoor: a special description ∆ allows a decoding algorithm to correct errors.
NIEDERREITER, REVISITED
KEY GENERATION
Choose a w-error correcting code C.
SK: code description ∆ for C.
PK: parity-check matrix H in systematic form for C.
ENCRYPTION
Message is a word e ∈ F_2^n of weight w.
c = H e^T.
DECRYPTION
Set e = Decode_∆(c) and return e. Return ⊥ if decoding fails.
Part II
HYBRID ENCRYPTION
MOTIVATION
Purpose of public-key encryption: encrypt a key for a symmetric scheme.
The Niederreiter cryptosystem requires constant-weight encoding functions to transform the symmetric key into a fixed-weight string e.
This can be done more efficiently: build a KEM based on Niederreiter’s assumptions.
THE KEM-DEM FRAMEWORK
Introduced by Cramer and Shoup (2001), combines the actions of two independent mechanisms.
KEY ENCAPSULATION MECHANISM (KEM)
Keygen: generates private key SK and public key PK.
Enc_KEM(PK): produces a symmetric key K and a ciphertext c0.
Dec_KEM(SK, c0): returns the symmetric key K (or ⊥).
DATA ENCAPSULATION MECHANISM (DEM)
Enc_DEM(K, m): produces the ciphertext c1.
Dec_DEM(K, c1): returns the plaintext m (or ⊥).
HYBRID ENCRYPTION
HYBRID ENCRYPTION SCHEME
Keygen: generates private key SK and public key PK.
Enc_HY(PK, m):
Run Enc_KEM(PK) and get (K, c0).
Run Enc_DEM(K, m) and get c1.
Final ciphertext c = (c0, c1).
Dec_HY(SK, c):
Run Dec_KEM(SK, c0) and get K.
Run Dec_DEM(K, c1) and recover m.
SECURITY
Independent components with separate security definitions; however:
IND-CCA secure KEM + IND-CCA secure DEM =⇒ IND-CCA secure hybrid scheme!
DEM: the usual symmetric-encryption IND-CCA requirement. Can use any symmetric scheme (e.g. one-time pad) + MAC.
IND-CCA SECURITY FOR KEM
Get public key PK.
Perform decryption queries.
Challenge ciphertext: (K*, c*) either honestly obtained (b = 1) by Enc_KEM(PK) or by choosing K* as a random string (b = 0).
Perform decryption queries (≠ c*).
Return b*.
Adv_KEM(A, λ) = | Pr[b* = b] − 1/2 |
NIEDERREITER KEM
Secure in the Random Oracle model; makes use of a Key Derivation Function (KDF), e.g. SHA-3.
KEY GENERATION
Choose a w-error correcting code C.
SK: code description ∆ for C.
PK: parity-check matrix H in systematic form for C.
ENCRYPTION
Choose a random word e ∈ F_2^n of weight w.
K = KDF(e), c0 = H e^T.
DECRYPTION
Set e = Decode_∆(c0) and return K = KDF(e). Return KDF(c0) if decoding fails.
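A toy end-to-end version of the material on the preceding slides, written as an added example and not the author's code: the systematic parity-check matrix and syndrome from the preliminaries, the uniqueness threshold of the syndrome decoding problem (the decoding table refuses a w at which two errors share a syndrome), the Niederreiter KEM of this slide with its KDF(c0) fallback, and the KEM-DEM hybrid with the one-time-pad + MAC DEM of the security slide. The binary [6, 2] code, w = 1, SHA3-256 as the KDF and HMAC-SHA3-256 as the MAC are constructed assumptions with no security value.

```python
import hashlib
import hmac
import itertools
import random

# Constructed toy parameters: a binary [6, 2] code with H = (M | I_4) and w = 1.
# Any binary M whose columns are distinct, non-zero and not unit vectors gives a
# 1-error-correcting code. Teaching toy only: no real trapdoor, no security.
M = [[1, 1], [1, 0], [0, 1], [0, 0]]
W = 1

def parity_check(M):
    """Systematic parity-check matrix H = (M | I_{n-k}) as a list of bit rows."""
    r = len(M)
    return [M[i] + [1 if j == i else 0 for j in range(r)] for i in range(r)]

def syndrome(H, e):
    """H e^T over F_2, as a tuple of bits."""
    return tuple(sum(h * x for h, x in zip(row, e)) % 2 for row in H)

def decode_table(H, w):
    """Map the syndrome of every error of weight <= w to that error: the toy
    stand-in for the decoder Decode_Delta. Returns None if two distinct errors
    share a syndrome, i.e. w is above the threshold where SDP has a unique solution."""
    n = len(H[0])
    table = {}
    for t in range(w + 1):
        for pos in itertools.combinations(range(n), t):
            e = tuple(1 if i in pos else 0 for i in range(n))
            s = syndrome(H, e)
            if s in table:
                return None
            table[s] = e
    return table

def kdf(bits):
    """Key derivation function: SHA3-256 over the bit string (slide: e.g. SHA-3)."""
    return hashlib.sha3_256(bytes(bits)).digest()

def keygen(M, w):
    H = parity_check(M)
    table = decode_table(H, w)
    assert table is not None, "code does not correct w errors"
    return (H, w), table                    # PK = (H, w), SK = decoding table

def encaps(pk, rng=random):
    H, w = pk
    n = len(H[0])
    pos = rng.sample(range(n), w)           # random word e of weight exactly w
    e = [1 if i in pos else 0 for i in range(n)]
    return kdf(e), syndrome(H, e)           # (K, c0)

def decaps(sk, c0):
    c0 = tuple(c0)
    e = sk.get(c0)
    # On decoding failure derive a key from c0 itself instead of returning ⊥:
    # the modification of the decryption algorithm that the proof relies on.
    return kdf(e) if e is not None else kdf(c0)

# DEM as on the security slide: one-time pad + MAC, both keyed from K. The pad
# is stretched from K[:16] with SHAKE-256 so that any message length works.
def dem_enc(K, m):
    pad = hashlib.shake_256(K[:16]).digest(len(m))
    c1 = bytes(a ^ b for a, b in zip(m, pad))
    return c1 + hmac.new(K[16:], c1, hashlib.sha3_256).digest()

def dem_dec(K, c1):
    body, tag = c1[:-32], c1[-32:]
    if not hmac.compare_digest(tag, hmac.new(K[16:], body, hashlib.sha3_256).digest()):
        return None                         # ⊥: MAC check failed
    pad = hashlib.shake_256(K[:16]).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def hybrid_enc(pk, m, rng=random):
    K, c0 = encaps(pk, rng)
    return c0, dem_enc(K, m)                # c = (c0, c1)

def hybrid_dec(sk, c):
    c0, c1 = c
    return dem_dec(decaps(sk, c0), c1)      # m, or None for ⊥
```

Because decaps never returns ⊥, a malformed c0 is indistinguishable from a well-formed one at the KEM level; only the DEM's MAC rejects the resulting ciphertext.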
PROOF OF SECURITY (SKETCH)
THEOREM
Let A be an adversary for KEM and N = |W_{n,q,w}|. There exists an adversary A′ for SDP such that
Adv_KEM(A, λ) ≤ Adv_SDP(A′, λ) + n_DEC/N.
Model KDF as a random oracle H.
Game 0: the KEM security game.
Game 1: halt if the challenge ciphertext c0* = H e*^T had been previously queried.
Game 2: generate c0* at the beginning and halt if H is queried at e*.
Use adversary A′ as a simulator.
Simulation is possible thanks to the modification in the decryption algorithm.
THE SIMULATOR
A′ has to solve an instance (H, y, w) of SDP. Interaction with A:
KEY GENERATION
Set PK = H and give PK to A.
CHALLENGE QUERIES
Set c* = y and K* a random string, and give (K*, c*) to A.
RANDOM ORACLE QUERIES
Receive query e and compute s = H e^T. If s = y then win the game and halt. Otherwise, generate K at random.
DECRYPTION QUERIES
Receive query c0 and reply with a random string K.
Tables are used to guarantee the integrity (consistency) of the answers.
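The simulator of this slide as an added example, not code from the original deck: A′ serves random-oracle and decryption queries from one syndrome-indexed table, which is what the tables on the slide guarantee (a query KDF(e) and a query Dec(H e^T) must receive the same key in either order), and it recognises a random-oracle query that solves its SDP instance. The 4×6 matrix H, the target y and w = 1 are a constructed instance.

```python
import os

# Constructed SDP instance (H, y, w): a 4x6 binary parity-check matrix, a target
# syndrome y and the weight bound w = 1. The simulator holds no trapdoor for H.
H = [[1, 1, 1, 0, 0, 0],
     [1, 0, 0, 1, 0, 0],
     [0, 1, 0, 0, 1, 0],
     [0, 0, 0, 0, 0, 1]]
Y = (1, 0, 1, 0)
W = 1


def syndrome(H, e):
    """H e^T over F_2, as a tuple of bits."""
    return tuple(sum(h * x for h, x in zip(row, e)) % 2 for row in H)


class Simulator:
    """A' from the proof sketch: answers A's queries without ever decoding.

    One table, indexed by syndrome, serves both oracles. In the real scheme
    Dec(H e^T) = KDF(e), so a random-oracle query at e and a decryption query
    at c0 = H e^T must receive the same key, whichever of the two arrives first."""

    def __init__(self, H, y, w, key_len=32):
        self.H, self.y, self.w, self.key_len = H, y, w, key_len
        self.table = {}          # syndrome -> key handed out for it
        self.solution = None     # set once A queries the RO at a solution of (H, y, w)

    def public_key(self):
        return self.H            # PK = H, straight from the SDP instance

    def challenge(self):
        """(K*, c*): c* = y is the SDP target, K* a fresh random string."""
        return os.urandom(self.key_len), self.y

    def _key_for(self, s):
        if s not in self.table:
            self.table[s] = os.urandom(self.key_len)
        return self.table[s]

    def random_oracle(self, e):
        """KDF(e) query: compute s = H e^T; if s = y, e solves the SDP instance
        and A' wins (the proof halts here; the toy records e and keeps serving)."""
        e = tuple(e)
        s = syndrome(self.H, e)
        if s == self.y and sum(e) <= self.w:
            self.solution = e
        return self._key_for(s)

    def decrypt(self, c0):
        """Decryption query: the challenge ciphertext is refused; any other c0
        gets the key already tied to that syndrome, or a fresh random one."""
        c0 = tuple(c0)
        if c0 == self.y:
            return None          # ⊥: queries equal to c* are not allowed
        return self._key_for(c0)
```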
Part III
ANONYMITY
INTRODUCTION
Increasingly important notion in the community.
Key Privacy vs Data Privacy
IK-CCA SECURITY FOR PKE
Get two public keys PK0 and PK1.
Perform decryption queries (for either).
Choose message m. Challenge ciphertext: c* = Enc(PK_b, m) for b ∈ {0, 1}.
Perform decryption queries (≠ c*).
Return b.
ANONYMITY FOR CODE-BASED SCHEMES
“Plain” Niederreiter (or McEliece) scheme: not secure.
IND-CPA “randomized” variant by Nojima et al.: IK-CPA secure (Yamakawa et al., 2007).
What about hybrid encryption? Unfortunately
IK-CCA secure KEM + IK-CCA secure DEM ⇏ IK-CCA secure hybrid scheme
(Mohassel, 2010)
We prove IK-CCA security for our scheme directly.
PROOF OF SECURITY (SKETCH)
ALTERNATIVE DEFINITION OF ADV
Adv′_IND-CCA(A, λ) = | Pr[b* = 1 | b = 1] − Pr[b* = 1 | b = 0] |.
Equivalent since Adv′_IND-CCA(A, λ) = 2·Adv_IND-CCA(A, λ).
THEOREM
Let A be an adversary for KEM and N = |W_{n,q,w}|. There exists an adversary A′ for IND-CCA such that
Adv_IK-CCA(A, λ) ≤ Adv′_IND-CCA(A′, λ) + n_DEC/(2N).
Model KDF as a random oracle H.
Game 0: the KEM security game.
Game 1: halt if the challenge ciphertext c* = Enc(PK_b, m) had been previously queried.
Game 2: return an additional random string m′ together with c*.
Game 3: set challenge ciphertext c* = Enc(PK_b, m′).
Use adversary A′ as a simulator.
Part IV
CONCLUSIONS
CONCLUSIONS
First KEM based directly on a coding-theory problem.
Simple construction and tight security proof.
Extending (Yamakawa et al., 2007), obtains IK-CCA security.
Implementation?
Merci beaucoup
Thank you
Grazie